
HijackThis log file

chrisbeam

Posted 06 June 2008 - 01:27 AM


My husband's computer is having a problem with keyloggers and backdoor trojans. He plays WoW and has had his account stolen due to these problems. Here is his HijackThis log file. Thanks in advance for your help.


Tal

Posted 06 June 2008 - 03:34 PM

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!

Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.

NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

I don't see a keylogger at the moment, but I see suspicious internet security settings that could possibly mean that somebody tried to keylog your husband. To check whether there is a keylogger, we will make a deeper scan now, as this log looks clean apart from these suspicious entries, but I would recommend that you change all of your online-banking passwords from a safe computer, just to be safe.

Step 1: Fixing entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)

When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

Event Record #/Type: 11077 / Warning
Event Submitted/Written: 06/05/2008 08:24:36 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type: 11065 / Warning
Event Submitted/Written: 06/05/2008 05:37:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type: 37950 / Warning
Event Submitted/Written: 06/06/2008 07:22:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DRAGON27 can't undo changes that you allow.

For more information please see the following:%DRAGON275

Scan ID: {DDA0072B-F313-4213-8B86-55C19D62212B}

User: DRAGON\RAC

Name: %DRAGON271

ID: %DRAGON272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DRAGON276

Alert Type: %DRAGON278

Detection Type: 1.1.1593.02

Event Record #/Type: 37949 / Warning
Event Submitted/Written: 06/06/2008 07:22:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DRAGON27 can't undo changes that you allow.

For more information please see the following:%DRAGON275

Scan ID: {D8F78135-7689-401E-BFDE-EE421ABB3CDA}

User: DRAGON\RAC

Name: %DRAGON271

ID: %DRAGON272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DRAGON276

Alert Type: %DRAGON278

Detection Type: 1.1.1593.02

Event Record #/Type: 37948 / Warning
Event Submitted/Written: 06/06/2008 07:22:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DRAGON27 can't undo changes that you allow.

For more information please see the following:%DRAGON275

Scan ID: {84B80ED8-2F1B-4BE2-B099-1EDC155E7DE0}

User: DRAGON\RAC

Name: %DRAGON271

ID: %DRAGON272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DRAGON276

Alert Type: %DRAGON278

Detection Type: 1.1.1593.02

Event Record #/Type: 37947 / Warning
Event Submitted/Written: 06/06/2008 07:22:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DRAGON27 can't undo changes that you allow.

For more information please see the following:%DRAGON275

Scan ID: {D0021402-99E0-4E95-AE29-0637F2DFA518}

User: DRAGON\RAC

Name: %DRAGON271

ID: %DRAGON272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DRAGON276

Alert Type: %DRAGON278

Detection Type: 1.1.1593.02

Event Record #/Type: 37946 / Warning
Event Submitted/Written: 06/06/2008 07:22:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DRAGON27 can't undo changes that you allow.

For more information please see the following:%DRAGON275

Scan ID: {59DB8DD0-AECB-4E5A-8EA0-F440FAAEFFBE}

User: DRAGON\RAC

Name: %DRAGON271

ID: %DRAGON272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DRAGON276

Alert Type: %DRAGON278

Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-06-06 19:24:37 ------------
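The event-log section of a DSS report is easier to triage once the records are parsed rather than read one at a time. The Python below is an added example written for this thread; it is not part of DSS or of any post here. The three sample records are constructed in DSS's "Event Record" layout with placeholder Scan IDs. It counts records per Event ID/Source and lists the ones whose description still carries unexpanded `%...` tokens, which is why the 3004 / WinDefend entries above give no name or path for whatever was detected.

```python
"""Triage helper for the event-log section of a Deckard's System Scanner
(DSS) report. Added example for this thread, not part of DSS itself.
The sample records below are constructed; the Scan IDs are placeholders."""
import re
from collections import Counter

# Constructed sample in the DSS "Event Record" layout (not from the thread).
SAMPLE_DSS_EVENTS = """\
Event Record #/Type: 11077 / Warning
Event Submitted/Written: 06/05/2008 08:24:36 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use.

Event Record #/Type: 37950 / Warning
Event Submitted/Written: 06/06/2008 07:22:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes.
Scan ID: {00000000-0000-0000-0000-000000000001}
User: DRAGON\\RAC
Name: %DRAGON271
Path Found: %DRAGON276

Event Record #/Type: 37949 / Warning
Event Submitted/Written: 06/06/2008 07:22:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DRAGON27 Real-Time Protection agent has detected changes.
Scan ID: {00000000-0000-0000-0000-000000000002}
User: DRAGON\\RAC
Name: %DRAGON271
Path Found: %DRAGON276

-- End of Deckard's System Scanner: finished at 2008-06-06 19:24:37 ------------
"""

# One DSS record. Whitespace is optional between fields so that records
# whose line breaks were lost when pasted into a forum still parse.
RECORD_RE = re.compile(
    r"Event Record #/Type:?\s*(?P<record>\d+)\s*/\s*(?P<type>[A-Za-z]+)\s*"
    r"Event Submitted/Written:\s*(?P<written>\S+ \S+ [AP]M)\s*"
    r"Event ID/Source:\s*(?P<event_id>\d+)\s*/\s*(?P<source>\S+)\s*"
    r"Event Description:\s*(?P<description>.*?)"
    r"(?=Event Record #/Type|-- End of|\Z)",
    re.DOTALL,
)

# An insertion token the event-log reader never expanded, e.g. %DRAGON271.
PLACEHOLDER_RE = re.compile(r"%[A-Z]+\d+")


def parse_events(text):
    """Return one dict per DSS event record found in text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def count_by_source(events):
    """How many records each (Event ID, Source) pair produced."""
    return Counter((e["event_id"], e["source"]) for e in events)


def unresolved_records(events):
    """Record numbers whose description still holds %TOKEN placeholders,
    i.e. records that name no detection, path or alert type."""
    return [e["record"] for e in events
            if PLACEHOLDER_RE.search(e["description"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_DSS_EVENTS)
    for (eid, src), n in count_by_source(evs).most_common():
        print(f"{n:3d} x Event ID {eid} from {src}")
    print("records with unexpanded placeholders:", unresolved_records(evs))
```

Run against a pasted report, the counts show at a glance which sources are repeating, and the placeholder list tells the helper which Defender events need to be re-read from the machine's own Event Viewer, where the insertion strings are resolved.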

Tal

Posted 07 June 2008 - 05:57 AM

I don't see much here - not anything that can be related to a keylogger. Anyway, let's do this and get a deeper scan.

Step 1: Batch script

Please open a new notepad file in a convenient location, such as on your desktop. Paste the following code into it:

REM Stop the NwSapAgent service if it is running
sc stop NwSapAgent
REM Remove the service's registration from the Service Control Manager
sc delete NwSapAgent

Now please click File > Save As... > Name the file BatchFix1.bat > Change the filetype setting to All Files > Hit Save. Now locate the file and double click it - a black window will appear on the screen for a moment then disappear - this is normal.